Owasp top-ten-mapping-2015-05-lwc

Most software developers have heard of the OWASP Top Ten, which describes the 10 most critical security vulnerabilities that should be avoided in web applications.

To prevent them, however, developers must be aware of the proactive controls that should be incorporated from the early stages of the software development lifecycle.
This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps each of them to the OWASP Top Ten risk(s) it addresses.

10.
Proactive Control: C1: Parameterize Queries
  Leave it to the data access layer to decide how parameters are interpreted before the SQL is executed.
Risk(s) prevented: A1 Injection
  Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
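As an added example (not from the slides), the C1 control in Python with the standard sqlite3 module: the same untrusted string is run once through string concatenation and once through a parameterized query, showing why only the latter keeps the interpreter from treating the input as SQL. The table, rows and input value are constructed here.

```python
import sqlite3

# Constructed sample database; the table and rows are not from the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, username):
    # Anti-pattern behind A1: the untrusted value is spliced into the SQL
    # text, so the interpreter reads any quotes or operators in it as syntax.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, username):
    # C1: the query text is fixed; the value travels as a separately bound
    # parameter, so the data access layer compares it as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed untrusted input that happens to contain SQL syntax.
UNTRUSTED = "x' OR '1'='1"

def compare(conn):
    # Returns (rows leaked by concatenation, rows returned by the parameterized query).
    return lookup_concat(conn, UNTRUSTED), lookup_param(conn, UNTRUSTED)

if __name__ == "__main__":
    leaked, safe = compare(make_db())
    print("concatenated :", leaked)   # every user: the WHERE filter was bypassed
    print("parameterized:", safe)     # empty: no user has that literal name
```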

16.
Proactive Control: C2: Encode Data
  Encode data before it is used in a parser (JS, CSS, XML).
Risk(s) prevented: A1 Injection
  Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
Risk(s) prevented: A3 XSS
  XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

19.
Proactive Control: C3: Validate All Inputs
  For web applications this includes:
  • GET and POST parameters
  • File uploads
  • Any or all of this data could be manipulated by an attacker.
Risk(s) prevented:
  • A1 Injection
  • A3 XSS
  • A10 Unvalidated Redirects and Forwards

21.
C4: Access Control good practices
• Deny by default
• Force all requests to go through access control checks
• Check on the server when each function is accessed

22.
Proactive Control: C4: Implement Appropriate Access Controls
  • Deny by default
  • Force all requests to go through access control checks
  • Check on the server when each function is accessed
Risk(s) prevented: A4 Insecure Direct Object References
  A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check, attackers can manipulate these references to access unauthorised data.
Risk(s) prevented: A7 Missing Function Level Access Control
  Attackers will be able to forge requests in order to access functionality without proper authorization.

33.
Proactive Control: C6: Data Protection and Privacy
  • Data encryption at rest
  • Data encryption in transit
Risk(s) prevented: A6 Sensitive Data Exposure
  Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.